restrict "cd" command from sftp user

 
SOLVED
Ahmed_58
Regular Advisor

restrict "cd" command from sftp user

Hi,
I need to restrict an sftp user from using "cd" command.

regards,
Ahmed
9 REPLIES
Aneesh Mohan
Honored Contributor

Re: restrict "cd" command from sftp user

Hi Ahmed,

You can create an alias for cd in the .profile file.

example:-
alias cd=nocd


regards,
Aneesh
Ahmed_58
Regular Advisor

Re: restrict "cd" command from sftp user

Hi Aneesh,
I did try alias, but this does not work if you are using "sftp" to log in.

Ahmed
saravanan08
Valued Contributor

Re: restrict "cd" command from sftp user

Hi Ahmed,

Kindly refer to this thread:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1264911

You will get an idea.

Aneesh Mohan
Honored Contributor

Re: restrict "cd" command from sftp user

Hi Ahmed,

Okay, you want to restrict a user from moving around home directory, right? You can accomplish this by chroot.

Please do the below steps.

1) /opt/ssh/utils/ssh_chroot_setup.sh

2) Provide the username and home directory

3) Select chroot secure shell option as SFTP

Regards,
Aneesh
Matti_Kurkela
Honored Contributor
Solution

Re: restrict "cd" command from sftp user

Restricting just the "cd" command is usually not enough, because the user can specify a full path to the PUT and GET commands:

sftp> GET /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd 100% 1986 1.9KB/s 00:00
sftp> put badfile /var/tmp
Uploading badfile to /var/tmp/badfile
badfile 100% 66KB 66.3KB/s 00:00
sftp>

Your choices are:
- set file access permissions so that the user cannot read and/or overwrite any unauthorized files (note that there are several essential system files that MUST be readable by every user)

OR

- make sftp-server pretend that there is only the user's directory and essentially nothing else. This is usually implemented with the "chroot" technique.

Please see:

http://docs.hp.com/en/T1471-90033/ch01s12.html

If you have one of the HP-UX SSH versions listed in the document above, please read /opt/ssh/README.hp on your system. If the chroot technique is suitable to your needs, then use /opt/ssh/utils/ssh_chroot_setup.sh to set it up.

MK
Aneesh Mohan
Honored Contributor

Re: restrict "cd" command from sftp user

Hi Ahmed,

Two more steps apart from my last post.

4) You may need to make the below changes in /etc/passwd

before:-
test:Z416JPq0mf6zA:103:20:chrooted user:/home/test/:/bin/sh

after:-
test:Z416JPq0mf6zA:103:20:chrooted user:/home/test/./:/bin/sh

5) /sbin/init.d/secsh stop
   /sbin/init.d/secsh start

Regards,
Aneesh
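
A quick way to verify the step 4 edit across accounts, as an added example that is not part of the original posts: a POSIX shell check that reports whether each passwd entry's home field carries the "/./" marker. It assumes the part before "/./" is the chroot root and the part after is the directory inside it; the function names and sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example: audit passwd-format lines for the "/./" chroot marker.
# Assumption: text before "/./" is the chroot root, text after it is the
# starting directory inside the jail.

# Constructed sample entries (password field replaced by "x").
SAMPLE_PASSWD='test:x:103:20:chrooted user:/home/test/./:/bin/sh
upload:x:104:20:drop box:/home/upload/./incoming:/bin/sh
plain:x:105:20:normal user:/home/plain:/bin/sh'

# Prints "<user> chrooted <root> <dir-in-jail>" or "<user> not-chrooted <home>".
# The body runs in a subshell so the IFS and globbing changes stay local.
chroot_status() (
    IFS=:
    set -f                      # no filename expansion while splitting
    set -- $1                   # split the entry into its colon-separated fields
    [ $# -ge 6 ] || { echo "malformed entry"; exit 0; }
    user=$1 home=$6
    case $home in
        */./*)
            root=${home%%/./*}          # everything before the first "/./"
            [ -n "$root" ] || root=/
            echo "$user chrooted $root /${home#*/./}" ;;
        *)
            echo "$user not-chrooted $home" ;;
    esac
)

# Reads passwd-format lines on stdin, skipping blank lines and comments.
audit_passwd() {
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        chroot_status "$entry"
    done
}

# Number of accounts on stdin whose home field lacks the marker.
count_unjailed() {
    audit_passwd | grep -c ' not-chrooted ' || true
}

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

To check a real system, feed it the accounts of interest, for example `grep '^test:' /etc/passwd | audit_passwd`.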
Ahmed_58
Regular Advisor

Re: restrict "cd" command from sftp user

Thanks all,

Will try chroot, but first I need to upgrade my ssh version.

Will let you know the results.

Special thanks to MK for raising the version working with chroot.

Points will be given once I complete my test.

Regards,
Ahmed
Aneesh Mohan
Honored Contributor

Re: restrict "cd" command from sftp user

Hi,

You can download the latest version of ssh from the below link.

http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA


Regards,
Aneesh
Ahmed_58
Regular Advisor

Re: restrict "cd" command from sftp user

Thanks to all, it is working now.

Important to remember:

1. SSH version must be 5.10.x and above
2. Use chroot to create the sftp/scp user
3. Change /etc/passwd to include /./
4. After using chroot, remember to restart ssh

And finally, thanks to all who responded and helped (points have been given).

regards,
Ahmed